Skip to main content

Assess with Zift

Overview

Before you can govern authorization, you have to find it. In most codebases the authorization logic is not in one place: it is scattered across role checks, permission guards, and middleware, mixed into application code. Zift is the assess product in the EnforceAuth AI Security Fabric. It scans a codebase, finds that embedded authorization, and extracts it to Rego so a Policy Decision Point (OPA or Enterprise OPA) can make the decision instead of the app.

This course teaches how Zift works: the two-pass scan model, extracting findings to Rego, and the externalization percentage, the metric a CISO uses to track how much authorization has moved out of code and under policy control.

Who this is for

Both EnforceAuth customers and open-source OPA users on the Associate track. Zift is open source (a Rust scanner). You do not run Zift to complete this course: the graded lab hands you a Zift-extracted policy and you author its decision rules in Rego, then validate them with opa. The lab requires writing Rego, so complete OPA & Enterprise OPA Fundamentals (opa-eopa-fundamentals) first, it covers default-deny, incremental allow if rules, the in operator, and writing tests with with input as.

Outcomes

By the end of this course you will be able to:

  • Explain why embedded authorization is a security problem and what Zift finds.
  • Describe Zift's two-pass model: a structural (tree-sitter) pass and a --deep LLM-assisted pass.
  • Read a Zift-extracted Rego policy and reason about the decision it encodes.
  • Define the externalization percentage and explain what it tells a CISO.

Lessons

  1. Embedded authorization and the Authorization Gap
  2. How Zift scans: the two-pass model
  3. Extracting findings to Rego
  4. The externalization percentage

Hands-on lab

This course includes a hands-on lab in lab/. It is a policy Zift extracted from a document service with its two allow decision rules removed; you implement them in lab/policy.rego until the test suite passes. Clone the public labs repo and run:

git clone https://github.com/EnforceAuth/university-labs.git
cd university-labs
opa test courses/assess-with-zift -v

The starter reports PASS: 4/8; your target is PASS: 8/8. Keep iterating until opa test is green.

Certification

Counts toward the Associate track. Certification is a machine-graded practical: you author a policy that the assessment engine runs against a hidden opa test suite you do not see. This lab is practice for that exam, a short quiz reinforces the concepts, but the graded bar is your policy passing the hidden suite.